Académique Documents
Professionnel Documents
Culture Documents
Legal Notice
Copyright 2016 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo and the Checkmark Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to
provide attribution to the third party (Third Party Programs). Some of the Third Party Programs
are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under those
open source or free software licenses. Please see the Third Party Legal Notice Appendix to
this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq.
"Commercial Computer Software and Commercial Computer Software Documentation," as
applicable, and any successor regulations, whether delivered by Symantec as on premises
or hosted services. Any use, modification, reproduction release, performance, display or
disclosure of the Licensed Software and Documentation by the U.S. Government shall be
solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Supports
primary role is to respond to specific queries about product features and functionality.
The Technical Support group also creates content for our online Knowledge Base.
The Technical Support group works collaboratively with the other functional areas
within Symantec to answer your questions in a timely fashion. For example, the
Technical Support group works with Product Engineering and Symantec Security
Response to provide alerting services and virus definition updates.
Symantecs support offerings include the following:
A range of support options that give you the flexibility to select the right amount
of service for any size organization
For information about Symantecs support offerings, you can visit our website at
the following URL:
support.symantec.com
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Hardware information
Operating system
Network topology
Problem description:
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
customercare_apj@symantec.com
semea@symantec.com
supportsolutions@symantec.com
Contents
Chapter 2
10
10
12
12
14
14
14
17
17
17
18
18
19
20
22
24
24
25
26
27
31
32
33
33
Contents
Chapter 3
Chapter 4
Post-upgrade tasks
34
36
42
47
............................................................ 54
Chapter 5
Chapter 6
Index
62
63
63
63
64
64
65
66
68
69
.................................................................................................................... 70
Chapter
Preparing to upgrade
Symantec Data Loss
Prevention
This chapter includes the following topics:
Preparing the Oracle database for a Symantec Data Loss Prevention upgrade
About the minimum system requirements for upgrading to the current release
Phase
Action
Description
10
Table 1-1
Phase
Action
Description
Prepare the system for upgrading: This preparation See Preparing your system for the upgrade
includes backing up the Oracle database and
on page 18.
detection server data. If the upgrade fails you can
use these backups to restore your system.
Upgrade Symantec Data Loss Prevention Agents. See About Symantec Data Loss Prevention Agent
upgrades on page 34.
11
Table 1-1
Phase
Action
Description
Complete the required and optional post-upgrade See Performing post-upgrade tasks on page 54.
tasks.
Run the upgrade data pre-checker tool to check your current database against
the new constraints introduced in Symantec Data Loss Prevention 14.5.
See Using the upgrader data pre-checker tool on page 12.
Back up the Oracle database before you start the upgrade. You cannot recover
from an unsuccessful upgrade without a backup of your Oracle database. For
more information, see the Symantec Data Loss Prevention Oracle 11g Installation
and Upgrade Guide.
12
The upgrader data pre-checker tool is available in the Upgrade folder in the Platform
ZIP file that contains your Symantec Data Loss Prevention software:
Symantec_DLP_14.5_Platform_Win-IN.zip
On the Oracle host computer or other computer with access to your Oracle
host computer, log on as the Oracle user.
The script runs for a few minutes and generates the report:
Upgrader_Data_Prechecker.html.
Open the report in a web browser to view the results, then take one of the
following actions:
If the report does not list any violated constraints, proceed with the upgrade
process.
13
Detection server: 750 MB of free disk space on the volume where the server is
installed.
Note: These numbers refer to the free disk space needed for the upgrade process,
not the disk space that is required for server operation. For server disk space,
operating system, and other requirements, see the Symantec Data Loss Prevention
System Requirements and Compatibility Guide.
See About preparing to upgrade Symantec Data Loss Prevention on page 10.
14
If your agents and Endpoint Servers are on versions earlier than 14.0, do not restart
the Endpoint Server. If you restart the Endpoint Server when it is not on the current
version, all policy and all configuration information is lost.
If all of the policy and the configuration information is lost, you must upgrade the
Endpoint Server and the agents to the most current version. Upgrade Endpoint
Servers to version 14.5. Upgrade agents to version 12.0 (at a minimum) or 14.5.
When you upgrade to the current version, first upgrade the Endpoint Server then
upgrade agents. For example, if you have a version 11.6.3 Enforce Server, and
version 10.0 Endpoint Server and agents, you upgrade the Endpoint Server to
version 12.0 and then upgrade the agents to version 12.0. You can then upgrade
from version 12.0 to version 14.0, and then to 14.5. Upgrading the Endpoint Server
first ensures that your servers and agents are in a supported configuration.
The most stable configuration is for all Enforce Servers, Endpoint Servers, and
agents to be on version 14.5. Ideally, you will only be on one of the following
backward-compatible scenarios for a limited time as you upgrade all servers and
agents to version 14.5.
Table 1-2
Enforce Server
version
Endpoint Server
version
Symantec DLP
Agent version
Results
14.5
14.5
14.5
14.5
14.5
14.0
12.5.x
12.0.x
15
Table 1-2
Enforce Server
version
Endpoint Server
version
Symantec DLP
Agent version
Results
14.5
14.0
14.0
12.5.x
12.5.x
12.0.x
Policies and
configuration settings
cannot be sent to
Endpoint Servers and
agents.
If the Endpoint Server
restarts, all policies
and configurations
are lost. Incidents are
no longer sent to the
server.
14.5
12.0.x
12.0.x
16
You must stop all Network Discover scans before you upgrade the Enforce
Server to version 14.5. You cannot restart Network Discover scans until at least
one Network Discover detection server has been upgraded to version 14.5.
If a version or 12.x detection server stops (shuts down) after you have upgraded
the Enforce Server to version 14.5, you must upgrade that detection server to
version 14.5 before it can restart.
After you upgrade the Enforce Server to version 14.5, any configuration changes
that you make have no effect on version 12.x detection servers.
After you complete the upgrade, do not modify the host name or IP address of
a detection server to point to a different detection server. Detection servers use
the original configured IP address or host name to maintain and report
server-level statistics.
Restart the Vontu Monitor Controller service to verify the upgraded detection
server versions in the Enforce Server administration console.
See About preparing to upgrade Symantec Data Loss Prevention on page 10.
Through the Upgrade Wizard, which you access through the Enforce Server.
The Upgrade Wizard provides the easiest and most efficient way to upgrade
Symantec Data Loss Prevention.
See Performing an upgrade with the Upgrade Wizard on page 27.
17
See About preparing to upgrade Symantec Data Loss Prevention on page 10.
18
If you choose to store your incident attachments on the Enforce Server host
computer, do not place your storage directory under the /SymantecDLP/ folder.
Ensure that both the external storage server and the Enforce Server are in
the same domain.
Create a "protect" user with the same password as your Enforce Server
"protect" user to use with your external storage directory.
If you are using a Linux system for external storage, change the owner of
the external storage directory to the external storage "protect" user.
If you are using a Microsoft Windows system for external storage, share the
directory with Read/Write permissions with the external storage "protect"
user.
After you have set up your storage location you can enable external storage for
incident attachments in the Upgrade Wizard. After you have upgraded your system
to Symantec Data Loss Prevention 14.5, all new incident attachments will be stored
in the external storage directory. In addition, a migration process runs in the
background to move your existing incident attachments from the database to your
external storage directory. Incident attachments in the external storage directory
cannot be migrated back to the database. Incident attachments stored in the external
storage directory are encrypted and can only be accessed from the Enforce Server
administration console.
The incident deletion process deletes incident attachments in your external storage
directory after it deletes the associated incident data from your database. You do
not need to take any special action to delete incidents from the external storage
directory.
19
If you do not want Symantec Data Loss Prevention to automatically distribute your
detection server upgrade packages, you can disable the automatic distribution
feature.
See Downloading and extracting the upgrade software on page 24.
Note: Only detection servers running Symantec Data Loss Prevention version 12.5
or later can receive the automatically distributed patches. Detection servers running
Symantec Data Loss Prevention version 12.0.x receive their patch files during the
upgrade process.
Prepare for upgrading your detection servers by reviewing the following prerequisites:
Make sure that the Symantec Data Loss Prevention services on each detection
server are running before you start the upgrade.
See Verifying that the Enforce Server and the detection servers are running
on page 25.
Upgrade your detection servers to Symantec Data Loss Prevention version 14.0
or later. Version 12.x or older detection servers are not compatible with the
version 14.5 Enforce Server.
Upgrade your Endpoint Servers to version 14.5 to ensure that your DLP Agents
can receive updated policies and configurations.
Before performing an upgrade using the Upgrade Wizard, verify that all the
detection servers to be upgraded are connected.
If a detection server is disconnected when you upgrade the Enforce Server
using the Upgrade Wizard, you can upgrade it later by re-running the Upgrade
Wizard, or by performing a local (manual) upgrade.
Before locally upgrading any detection server, you must run the Upgrade Wizard
to upgrade the Enforce Server.
Make sure that all Network Discover scans are halted before starting the upgrade.
20
server that is older than 14.0, first perform a local upgrade of that detection server
to 14.0. You can then use the Upgrade Wizard to upgrade the detection server to
14.5.
See Verifying that the Enforce Server and the detection servers are running
on page 25.
See Preparing your system for the upgrade on page 18.
21
Chapter
Verifying that the Enforce Server and the detection servers are running
Note: If you are upgrading your system and you have deployed Exact Data Matching
(EDM) profiles and policies, there is a specific upgrade path you need to perform
so that your profiles and policies update properly.
Table 2-1
Step
Action
Description
10
23
Copy the ZIP files to the computer from where you intend to perform the
upgrade. That computer must have a reliable network connection to the Enforce
Server.
The files within this ZIP file must be extracted into a directory on a system that
is accessible to you. The root directory into which the ZIP files are extracted
is referred to as the DLPDownloadHome directory.
endpoints. You use these files when you generate the agent installation
package.
use this file when you generate the agent installation package.
Note where you saved the upgrade JAR, MSI, and PKG files so you can quickly
find them later.
24
Where port equals the number of the port you want the Upgrade Wizard to
use.
Enter a unique port number. Other applications on the Enforce Server host
cannot use the same port. Verify that firewalls do not block the port number
you enter. If firewalls block the port number you cannot access the Upgrade
Wizard from a different computer than the Enforce Server host.
For example, the following line configures the Upgrade Wizard to use port
5555:
update.wizard.port=5555
See Verifying that the Enforce Server and the detection servers are running
on page 25.
See Upgrading Symantec Data Loss Prevention on page 22.
Go to System > Servers and Detectors > Overview and check that the
Symantec Data Loss Prevention servers are running.
See Launching the Upgrade Wizard on the Enforce Server on page 26.
25
Make sure that the JAR file you extracted earlier when you performed the
upgrade prerequisite steps is available.
See Downloading and extracting the upgrade software on page 24.
If your installation uses FIPS encryption, your browser will not be able to redirect
from the Enforce Server administration console to the Upgrade Wizard user
interface. In this case, you must manually browse to https://Enforce_server:8300.
(If you have changed the Upgrade Wizard port number, use that port number
in the URL.)
Ensure that all detection servers are running and are connected to the Enforce
Server.
See About Symantec Data Loss Prevention services on page 57.
Click Upgrade.
The Upgrade System pop-up window appears.
26
From the directory that includes that JAR file, select the file and click Open.
The name of the file is 14.5_Upgrader_Windows.jar.
On the page where you encountered the error, click the Log Files link.
Try to resolve the error, and then launch the Upgrade Wizard again.
These procedures assume that you have already launched the Upgrade Wizard.
See Launching the Upgrade Wizard on the Enforce Server on page 26.
To upgrade the Enforce Server
On the Symantec Data Loss Prevention Upgrader Login panel, enter the
Administrator user name and password, and then click logon.
The License Agreement panel appears.
Click Accept.
The System Check panel appears. When you click Next, the Upgrade Wizard
verifies that you have the minimum software version level required to upgrade
to the current release version.
Click Next.
One of the following two outcomes results:
If the check was successful, the System Check Succeeded panel appears.
27
If at any point you see a message box stating that the upgrade has failed,
click Cancel. Fix the reported problem that is shown in the panel. After
fixing the problem, log on to Enforce, and launch the upgrade again.
Click Next.
If you selected automatic detection server package distribution, the Detection
Server Upgrade Package Distribution Status page appears. This page
displays the status of the package distribution process. When the packages
have been distributed, proceed to the next step.
Click Next.
The Welcome to Symantec Data Loss Prevention Upgrader panel appears.
A prompt warns you that any language packs you have installed from a previous
version of Symantec Data Loss Prevention will be deleted. You must install
new language packs for the current version of Symantec Data Loss Prevention
later in the upgrade process.
Click Next.
The Pre-check panel appears and the Upgrade Wizard begins performing
pre-upgrade tasks. The tasks include extracting necessary upgrade files and
stopping Symantec Data Loss Prevention services.
28
If an error occurs, a message to that effect appears. Consult the logs for
information, correct the problem, and launch the upgrade again.
Note: If you launch the Upgrade Wizard again to upgrade the remaining
detection servers, the utility does not repeat the Enforce Server upgrade.
13 Click Next.
The Enable Symantec DLP Supportability Telemetry panel appears.
14 If you plan to share system information with Symantec, perform the following
steps:
29
15 Click Next.
The Upgrade Detection Servers panel appears.
16 After the detection server upgrade packages have been distributed automatically
or manually, select the detection servers you want to upgrade then click
Upgrade.
The wizard creates a compressed file, called
SymantecDLPDetectionBackup_previousVersion.zip. This compressed file
contains all of the files in your file system. It puts the compressed file in a new
update directory
(\SymantecDLP\Protect\updates\SymantecDLPDetectionBackup). Then it
installs new ones.
After the wizard upgrades the detection servers you selected, green checkmarks
appear next to those servers listed in the Upgrade Status column of the panel.
If you experienced network connectivity problems between your Enforce Server
and any detection server, you can locally upgrade those servers later. You can
also run the Upgrade Wizard again.
See Locally upgrading a detection server on page 31.
Note: When you run the Upgrade Wizard again, it does not upgrade the Enforce
Server again.
You must upgrade the Enforce Server before trying to upgrade your detection
servers. Otherwise, you receive an error message in the system events report
and the upgrade does not proceed.
Upgrade all detection servers to the same version as the newly upgraded
Enforce Server to ensure compatibility. See About upgrading the detection
servers on page 19.
17 Click Next.
The Success panel appears and prompts you to also upgrade your system
endpoints.
18 Click Finish.
The Symantec Data Loss Prevention Login panel for Enforce Server appears.
30
19 If your Symantec Data Loss Prevention deployment uses the Veritas Cluster
Server (VCS) high-availability solution, run the following script on each Enforce
Server node:
vcs_upgrade.bat <SymantecDLP> <system user name>
21 Clear your browser cache to ensure that the initial page does not appear blank
or as a previous version.
22 To verify that all of your Symantec Data Loss Prevention products are licensed
for the current release, navigate to System > Settings > General.
If necessary, you can enter additional license files by clicking Configure on
this page.
For more information, see the Symantec Data Loss Prevention Administration
Guide.
To verify the upgrade, review that your server version numbers are correct.
Go to System > Servers and Detectors > Overview and click Enforce Server
or a detection server.
Note: The new version numbers for the upgraded detection servers do not
display in the Enforce Server administration console until the Vontu Monitor
Controller service has been restarted. The service does not start until the
upgrade is complete.
Alternatively, on the Enforce Server, go to \SymantecDLP\Protect and check
Manager.ver. To check on the detection server, go to the same directory and
check Monitor.ver.
See About Symantec Data Loss Prevention Agent upgrades on page 34.
See Symantec Data Loss Prevention upgrade phases on page 10.
31
Extract the contents of the JAR file into the detectionupgrade14.5 directory.
(You can use WinZip or WinRAR to extract the contents of the JAR file.)
Make sure the files extract to the correct directory. The
start_local_upgrade.bat file must be in the
\SymantecDLP\Protect\updates\detectionupgrade14.5 directory before
Follow the options as they appear on the panel. Make sure that the destination
directory is set to the detectionupgrade14.5 directory.
32
Select all available configurations, and then click Apply and Update.
Click Done.
33
Chapter
Table 3-1
Step
Description
Process
Bundle the Mac agent installation files if you See Process to upgrade the
plan to upgrade Mac agents.
DLP Agent on Mac
on page 47.
35
36
Table 3-2 provides instructions for generating agent installation packages. The
instructions assume you have deployed an Endpoint Server.
Table 3-2
Step
Action
Description
Select one or more DLP Agent Browse to the folder on the Enforce Server where you copied the agent
installation files.
installer files:
Windows 64-bit: AgentInstall64.msi
Windows 32-bit: AgentInstall.msi
Typically you enter the common name (CN) of the Endpoint Server host,
or you can enter the IP address of the server.
Be consistent with the type of identifier you use (CN or IP). If you used
the CN for the Endpoint Server when deploying it, use the same CN for
the agent package. If you used an IP address to identify the Endpoint
Server, use the same IP address for the agent package.
Alternatively, you can enter the CN or IP address of a load balancer server.
The default port is 10443. Typically you do not need to change the default
port unless it is already in use or intended for use by another process on
the server host.
Click the plus sign icon to add additional servers for failover.
Note: Symantec Data Loss Prevention allots 2048 characters for Endpoint
Server names. This allotment includes characters that are used for the
Endpoint Server name, port numbers, and semicolons to delimit each
server.
The first server listed is primary; additional servers are secondary and
provide backup if the primary is down.
The system validates that the passwords match and displays a message
if they do not.
37
Table 3-2
Step
Action
Description
Note: Include the drive letter if you plan to change the default directory.
For example, use C:\Endpoint Agent. Not including a drive letter
causes the agent installation to fail.
9
The use of an agent uninstall password is supported for Windows 32and 64-bit agents. The uninstall password is a tamper-proof mechanism
that requires a password to uninstall the DLP Agent.
10
This action generates the agent installer package for each platform that
you selected in step 3.
If you are generating more than one package the generation process may
take a few minutes.
11
When the agent packaging process is complete, the system prompts you
to download the agent installation package. Save the ZIP file to the local
file system. Once you have done this you can navigate away from the
Agent Packaging screen to complete the process.
If you generated a single agent package, the ZIP file is named one of the
following corresponding to the agent installer you uploaded:
AgentInstaller_Win64.zip
AgentInstaller_Win32.zip
If you upload more than one agent installer, the package name is
AgentInstallers.zip. The ZIP file contains separate ZIP files named
as above containing the agent package for each platform you selected
in step 3.
See Agent installation package contents on page 38.
12
Once you have generated and downloaded the agent package, you use
it to install all agents for that platform.
38
Note: When you upgrade agents, you generate the agent installation package and
use the installation files to perform the agent upgrade.
See Generating agent installation packages on page 36.
The agent installation package for Windows agents contains the endpoint certificates,
installation files, and the package manifest.
Table 3-3
Description
AgentInstall.msi or AgentInstall64.msi
endoint_cert.pem
endpoint_priv.pem
endpoint_truststore.pem
install_agent.bat
upgrade_agent.bat
PackageGenerationManifest.mf
Package metadata
The Mac agent package contains endpoint certificates, installation files, the package
manifest, and a file to generate the installation script for the Mac OS.
Table 3-4
File
Description
AgentInstall.pkg
AgentInstall.plist
create_package
endoint_cert.pem
endpoint_priv.pem
endpoint_truststore.pem
Install_Readme.rtf
39
Table 3-4
(continued)
File
Description
PackageGenerationManifest.mf
Package metadata
40
Table 3-5
File name
Description
Generation
Deployment
Initial: On install or
upgrade of the Enforce
Server.
Regeneration: If the CA is
not in the keystore or is
renamed, on restart of the
Vontu Monitor Controller
service.
Regeneration of the CA
increments the version
number in the file name, for
example:
certificate_authority_v2.jks
certificate_authority_v3.jks
If the CA is regenerated, you
must regenerate the server
and agent keys and redeploy
the agents.
Table 3-6 lists the SSL certificate and keys, and the passwords, generated during
the agent installation packaging process.
41
Table 3-6
File name
Description
Generation
Deployment
endpoint_cert.pem
Self-signed endpoint
agent certificate
endpoint_priv.pem
Step
Action
Description
42
Table 3-7
Step
Action
Description
For the file tdifdvvvv.sys, replace vvvv with the DLP Agent version. For example,
DLP Agent version 12.5.2 would display as tdifd1252.sys.
43
44
45
/i
/q
ARPSYSTEMCOMPONENT
ENDPOINTSERVER, SERVICENAME,
Properties for the agent installation
INSTALLDIR, UNINSTALLPASSWORDKEY, package.
and WATCHDOGNAME
TOOLS_KEY, ENDPOINT_CERTIFICATE, Properties that reference the files and the
passwords that are associated with the
ENDPOINT_PRIVATEKEY,
agent certificates.
ENDPOINT_TRUSTSTORE,
ENDPOINT_PRIVATEKEY_PASSWORD, and
VERIFY_SERVER_HOSTNAME.
For details on entering this information into your particular systems management
software, see the software product documentation.
46
After you upgrade the agents, the DLP Agent service automatically starts on each
endpoint computer. Log on to the Enforce Server and go to System > Agents >
Overview, then locate the upgraded agent. Verify that the newly upgraded agent
is registered (the services should appear in the list).
See About Symantec Data Loss Prevention Agent upgrades on page 34.
Table 3-8
Step
Action
More information
47
Table 3-8
Step
Action
More information
48
Use the Terminal.app to bundle the Mac agent upgrade-related file by running
the following commands:
$ cd /tmp/MacInstaller
$ ./create_package
-i <com.company.xyz>
-t ./Tools
The following is an example of what the completed command might look like:
$ cd /tmp/MacInstaller; $ ./create_package; -i <com.company.xyz>;
-t ./Tools
After you execute the command, a message displays the package creation
status.
A file named AgentInstall_WithCertificates.pkg is created in the location
you indicated. Based on the example above,
AgentInstall_WithCertificates.pkg is created at /tmp/MacInstaller.
(Optional) If you opted to register the DLP Agent with a custom package
identifier, execute the following command to verify the custom package identity:
$ pkgutil --pkg-info <com.company.xyz>
49
See the topic "About Endpoint tools" in the Symantec Data Loss Prevention
Administration Guide.
Place tools you want to include in the PKG in the same directory where the PKG file
is located; for example use /tmp/MacInstaller.
See Packaging Mac agent upgrade files on page 48.
Table 3-9 lists the available tools.
Table 3-9
Tool type
Description
Installation
Start_agent restarts the Mac agents that have been shut down on
the Agent List screen.
Maintenance
50
Table 3-10
Step
Action
Description
Upgrade the Mac Agent from the Run the following command on the target endpoint:
command line using the Terminal
$ sudo installer -pkg
application.
/tmp/AgentInstall/AgentInstall.pkg -target /
Replace /tmp/MacInstaller with the path where you unzipped the
agent installation package.
To verify the Mac agent installation, open the Activity Monitor and search
for the edpa process. It should be up and running.
The Activity Monitor displays processes being run by logged in user and
edpa runs as root. Select View All Processes to view edpa if you are
not logged in as root user.
You can also confirm that agent was installed to the default directory:
/Library/Manufacturer/Endpoint Agent.
51
These steps assume that you have generated the agent installation package and
packaged the Mac agent installation files.
See Generating agent installation packages on page 36.
See Packaging Mac agent upgrade files on page 48.
To perform an unattended upgrade
Specify a list or range of network addresses where you want to upgrade the
DLP Agent.
Note: If messages indicate that the process failed, review the instal.log file that
is located in the /tmp directory on each Mac endpoint.
52
Table 3-11
Component
Description
Encrypted database
Log files
Database (rrc.ead)
53
Chapter
Post-upgrade tasks
This chapter includes the following topics:
Post-upgrade tasks
Verifying Symantec Data Loss Prevention operations
On Linux:
/opt/SymantecDLP_Backup_Files/Protect/lib/your_jar.jar
Copy the JAR files from your backup location to the same directory on your
upgraded system.
For example, on Windows:
C:\SymantecDLP\Protect\lib\your_jar.jar
On Linux
/opt/SymantecDLP/Protect/lib/your_jar.jar
Log out of the Enforce Server administration console and then log on as a user
other than Administrator.
Go to the System Overview screen and recycle the detection servers to verify
that they are connected.
Click on each heading in the Enforce Server navigation pane to view the data
that was carried over from the previous version.
Verify that any reports that you had saved from your previous version are still
there.
Send test emails to trigger a few existing policies and then run a traffic report
to confirm that the test messages generated incidents.
Network Discover provides incremental scanning for certain target types. After
you upgrade Symantec Data Loss Prevention, verify that incremental scanning
is configured for valid targets. See the Symantec Data Loss Prevention System
Administration Guide for information about configuring incremental scans.
55
Post-upgrade tasks
Verifying Symantec Data Loss Prevention operations
If you have deployed any Lookup plug-ins, go to the System > Lookup Plugins
screen and verify that the plug-in appears in the list of plug-ins and is configured
correctly.
For more information on performing these procedures, see the Symantec Data Loss
Prevention Administration Guide.
See Performing post-upgrade tasks on page 54.
56
Chapter
Service Name
Description
Vontu Manager
Vontu Notifier
Vontu Update
On the computer that hosts the Enforce Server, navigate to Start > All
Programs > Administrative Tools > Services to open the Windows Services
menu.
Start the Symantec Data Loss Prevention services in the following order:
Vontu Notifier
Vontu Manager
Note: Start the Vontu Notifier service first before starting other services.
See Stopping an Enforce Server on Windows on page 58.
58
To stop the Symantec Data Loss Prevention Services on a Windows Enforce Server
On the computer that hosts the Enforce Server, navigate to Start > All
Programs > Administrative Tools > Services to open the Windows Services
menu.
From the Services menu, stop all running Symantec Data Loss Prevention
services in the following order:
Vontu Manager
Vontu Notifier
On the computer that hosts the detection server, navigate to Start > All
Programs > Administrative Tools > Services to open the Windows Services
menu.
Start the Symantec Data Loss Prevention services, which might include the
following services:
Vontu Monitor
Vontu Update
On the computer that hosts the detection server, navigate to Start > All
Programs > Administrative Tools > Services to open the Windows Services
menu.
From the Services menu, stop all running Symantec Data Loss Prevention
services, which might include the following services:
Vontu Update
59
Vontu Monitor
On the computer that hosts the Symantec Data Loss Prevention server
applications, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
Vontu Notifier
Vontu Manager
Vontu Monitor
Note: Start the Vontu Notifier service before starting other services.
See Stopping services on single-tier Windows installations on page 60.
On the computer that hosts the Symantec Data Loss Prevention server
applications, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
From the Services menu, stop all running Symantec Data Loss Prevention
services in the following order:
Vontu Monitor
60
Vontu Manager
Vontu Notifier
61
Chapter
If you receive the following error message, FIPS encryption is most likely enabled
for your installation:
"Unable to send redirect. System update did not succeed"
This means that your browser cannot redirect from the Enforce Server
Administration Console to the Upgrade Wizard user interface. In this case, you
must manually browse to https://Enforce_server:8300.
Where Enforce_server is the name of your Enforce Server. If you have changed
the default port from 8300, use your new port instead.
Click Upgrade again and repeat the upload of the upgrade JAR file.
If neither method works, then you must manually upload the JAR file to the Enforce
Server.
See Manually uploading the JAR file to the Enforce Server on page 63.
63
The Symantec Data Loss Prevention uninstaller and installer utilities. During
installation of Symantec Data Loss Prevention, the uninstaller is saved on the
host file system in the \SymantecDLP directory.
The Symantec Data Loss Prevention license file for your deployment.
64
A backup of the Symantec Data Loss Prevention Oracle database. For more
information, see the Symantec Data Loss Prevention System Maintenance
Guide.
The type of authentication that is used in your Symantec Data Loss Prevention
deployment.
The host name or IP address and port number that the Enforce Server uses to
communicate with the Oracle database.
file. This file includes the CryptoMasterKey.properties file and the keystore files
for your previous Symantec Data Loss Prevention deployment.
Follow this procedure to create the EnforceReinstallationResources.zip file
required by the Symantec Data Loss Prevention 14.5 installer.
65
\SymantecDLP\Protect\updates\SymantecDLPEnforceBackup\
SymantecDLPEnforceBackup_previousVersion.zip
Create a ZIP archive that includes the config and keystore files. Name the
new ZIP archive EnforceReinstallationResources.zip.
Stop all Symantec Data Loss Prevention services that are running on the
Enforce Server.
See About Symantec Data Loss Prevention services on page 57.
Restore the Symantec Data Loss Prevention Oracle database from the latest
backup.
Consult your Oracle documentation for more information.
66
Copy the backup ZIP file that was created by the Upgrade Wizard to a location
outside of the DLP installation. The file is located in the following directory:
\SymantecDLP\Protect\updates\SymantecDLPEnforceBackup\.
Open the directory with the most recent timestamp. Inside this directory there
is a ZIP file named SymantecDLPEnforceBackup_previousVersion.zip that
contains the backed-up files.
Click Next.
When the uninstall process is finished the Uninstall Complete panel appears.
Click Done.
Use the installer executable for the version of Symantec Data Loss
Prevention that was deployed before you attempted the upgrade. You can
only revert to this version of Symantec Data Loss Prevention. You may
need to extract the Symantec Data Loss Prevention software ZIP file to
locate the installer executable.
When you run the installer, you are prompted for the type of server you are
installing. Select either Enforce or Detection, or select the Single Tier
option to install both the Enforce and Detection servers on a single computer.
67
When you reinstall the Enforce Server, deselect the option to Initialize the
Database.
11 Stop all Symantec Data Loss Prevention services on the Enforce Server host.
12 Delete the following directory:
\SymantecDLP\Protect\config
13 Locate the backup ZIP file that you saved in step 5 and extract it to a temporary
directory.
14 Copy the backup copy of the Protect\config directory from the temporary
directory that you created in step 13 to the \SymantecDLP\Protect\config
directory.
Stop all Symantec Data Loss Prevention services that are running on the
detection server host.
Copy the backup ZIP file created by the Upgrade Wizard to a location outside
of the DLP installation. The file is located in the following directory:
\SymantecDLP\Protect\updates\SymantecDLPDetectionBackup\.
Open the directory with the most recent timestamp. Inside this directory there
is a ZIP file named SymantecDLPDetectionBackup_previousVersion.zip
that contains the backed-up files.
Note: If the uninstaller executable is not available on the detection server host,
you may need to extract the Symantec Data Loss Prevention software ZIP file
to locate the uninstaller executable.
If the uninstaller fails, you can manually uninstall the detection server. See
Manually uninstalling the Enforce Server or a detection server on page 69.
68
Reinstall the detection server. You must use the correct version of the installer
for the version to which you are upgrading.
Follow the instructions for installing a detection server in the Symantec Data
Loss Prevention Installation Guide for Windows for the version of Symantec
Data Loss Prevention that your are installing.
Note the following before reinstalling Symantec Data Loss Prevention:
Use the installer executable for the version of Symantec Data Loss
Prevention that was deployed before you attempted the upgrade. You can
only revert to this version of Symantec Data Loss Prevention. You may
need to extract the Symantec Data Loss Prevention software ZIP file to
locate the installer executable.
When you run the installer, you are prompted for the type of server you are
installing. Select Detection.
If you have made any manual changes to configuration files on the file system
of the detection server host, you must restore those configuration files from
the backup created by the Upgrade Wizard.
Locate the backup ZIP file that you saved in step 2 and extract the file using
WinRAR to a temporary directory. The detection server configuration files are
located in the following directory: \SymantecDLP\Protect\config
Use the Local Users and Groups tab in the Computer Management
administration tool to delete the Symantec Data Loss Prevention user.
69
Index
Agent configuration
updating 32
Agent upgrade 14, 23, 34, 4344
language packs
upgrading 17
languages
language packs 17
Linux operating system 14
local upgrade 31
14_5DetectionUpgradePackage.jar file 32
start_local_upgrade.bat file 32
upgrade directory 32
B
Backward compatibility
Symantec DLP Agents and servers 14
D
detection servers
14_5DetectionUpgradePackage.jar file 32
local upgrade 3031
requirements 14
reverting to the previous release 68
start_local_upgrade.bat file 32
Upgrade Wizard 25
disk space 14
DLPDownloadHome directory 24
M
mixed operating systems 14
O
operating systems, mixed 14
Oracle database
preparations 12
post-upgrade tasks 54
restore additional JAR files 54
verifying 55
preparations
detection servers 25
Oracle database 12
scans, halting 20
software download 24
FIPS encryption
Upgrade Wizard 63
requirements
Enforce Server 14
reverting upgrade
detection servers 68
group directories
upgrading 33
K
known issues 17
S
scanners 33
scans, halt before upgrading 20
Skip Remaining Servers option 30
Index
software download 24
start_local_upgrade.bat file 32
Symantec DLP Agent
backward compatibility for agents and servers 14
installing with system management software 51
Mac
installed aspects 52
upgrade 47
upgrading major versions manually 43
upgrading major versions silently 44
upgradingversions 34
U
Unable to send redirect message 63
upgrade 54
See also post-upgrade tasks
detection servers 25
disk space 14
errors, upload 63
JAR file, manual upload 63
known issues 17
operating systems, mixed 14
Oracle database 12
phases 10
requirements 14
scanners 33
scans, halting 20
software download 24
stages 10
verifying 55
upgrade directory 32
Upgrade Wizard
detection servers 25
FIPS encryption 63
JAR file, manual upload 63
Skip Remaining Servers option 30
starting 26
starting, manually 64
upload errors 63
upgrading
major versions 34
V
verifying the upgrade 55
Vontu services
starting 5860
stopping 5860
W
Windows operating system 14
71